Researchers from the security firm Binarly have discovered a serious vulnerability in the firmware of certain Lenovo and Intel products that could allow attackers to access sensitive information. The vulnerability is located in Lighttpd, an open-source web server that is widely used across tech products, including as a component of device firmware.
The vulnerability was first identified in the summer of 2018, but the Lighttpd maintainers fixed it quietly, without requesting a CVE identifier. Because downstream vendors largely track security fixes through CVEs, many companies shipping Lighttpd never picked up the fix, leaving their products vulnerable to the bug.
According to Binarly researchers, a skilled attacker can exploit the vulnerability to read sensitive information, such as memory addresses, which could in turn be used to bypass security mechanisms like ASLR. The severity is nonetheless rated moderate: on its own, the bug is not enough for a successful attack.
The impacted devices include certain Lenovo and Intel products, which are now end-of-life and will never receive any additional software updates. This means that these devices will remain vulnerable to the bug indefinitely.
When reached for comment, Lenovo stated that they are “aware of the AMI MegaRAC concern identified by Binarly” and are working with their supplier to assess any potential impacts on their products. Intel, on the other hand, confirmed that the affected device is end-of-life and will not receive any further updates.
While the vulnerability is serious, it bears repeating that on its own it is not enough for a successful attack. The bug is primarily a building block for a wider intrusion and compromise rather than an immediate threat in itself.
In conclusion, the discovery of this vulnerability highlights the importance of software updates and the need for companies to keep their products up-to-date with the latest security patches. It also underscores the potential risks associated with end-of-life devices, which can remain vulnerable to exploits even after they have been discontinued. As always, it is crucial for consumers and businesses alike to stay informed about potential security threats and take proactive measures to protect their devices and data.